[Update] 更改查看认证需要的MFA时间间隔

327febaf · ibuler · 0f8d4f5b · 327febaf · 327febaf · 327febaf
Commit 327febaf authored Jun 24, 2019 by ibuler
9 changed files
--- a/apps/assets/api/asset_user.py
+++ b/apps/assets/api/asset_user.py
@@ -10,7 +10,7 @@ from rest_framework import filters
 from rest_framework_bulk import BulkModelViewSet
 from django.shortcuts import get_object_or_404
-from common.permissions import IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdminOrAppUser, NeedMFAVerify
 from common.utils import get_object_or_none, get_logger
 from common.mixins import IDInCacheFilterMixin
 from ..backends import AssetUserManager
@@ -57,7 +57,7 @@ class AssetUserSearchBackend(filters.BaseFilterBackend):
 class AssetUserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
    pagination_class = LimitOffsetPagination
    serializer_class = serializers.AssetUserSerializer
-    permission_classes = (IsOrgAdminOrAppUser, )
+    permission_classes = [IsOrgAdminOrAppUser]
    http_method_names = ['get', 'post']
    filter_fields = [
        "id", "ip", "hostname", "username", "asset_id", "node_id",
@@ -111,22 +111,16 @@ class AssetUserExportViewSet(AssetUserViewSet):
    serializer_class = serializers.AssetUserExportSerializer
    http_method_names = ['get']
-    def list(self, request, *args, **kwargs):
+    def get_permissions(self):
-        otp_last_verify = request.session.get("OTP_LAST_VERIFY_TIME")
+        self.permission_classes.append(NeedMFAVerify)
-        if not otp_last_verify or time.time() - int(otp_last_verify) > 600:
+        return super().get_permissions()
-            return Response({"error": "Need MFA confirm mfa auth"}, status=403)
-        return super().list(request, *args, **kwargs)
 class AssetUserAuthInfoApi(generics.RetrieveAPIView):
    serializer_class = serializers.AssetUserAuthInfoSerializer
-    permission_classes = (IsOrgAdminOrAppUser,)
+    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
    def retrieve(self, request, *args, **kwargs):
-        otp_last_verify = request.session.get("OTP_LAST_VERIFY_TIME")
-        if not otp_last_verify or time.time() - int(otp_last_verify) > 600:
-            return Response({"error": "Need MFA confirm mfa auth"}, status=403)
        instance = self.get_object()
        serializer = self.get_serializer(instance)
        status_code = status.HTTP_200_OK

--- a/apps/assets/templates/assets/_asset_user_list.html
+++ b/apps/assets/templates/assets/_asset_user_list.html
@@ -32,8 +32,9 @@ var assetUserListUrl = "{% url "api-assets:asset-user-list" %}";
 var assetUserTable;
 var needPush = false;
 var prefer = null;
-var lastMFATime = "{{ request.session.OTP_LAST_VERIFY_TIME }}";
+var lastMFATime = "{{ request.session.MFA_VERIFY_TIME }}";
 var testDatetime = "{% trans 'Test datetime: ' %}";
+var mfaVerifyTTL = "{{ SECURITY_MFA_VERIFY_TTL }}";
 function initAssetUserTable() {
    var options = {
@@ -109,7 +110,7 @@ $(document).ready(function(){
    authUsername = $(this).data('user');
    var now = new Date();
    var nowTime = now.getTime() / 1000;
-    if ( !lastMFATime || nowTime - lastMFATime > 60*10 ) {
+    if ( !lastMFATime || nowTime - lastMFATime > mfaVerifyTTL ) {
        mfaFor = "viewAuth";
        $("#mfa_auth_confirm").modal("show");
    } else {

--- a/apps/authentication/api/auth.py
+++ b/apps/authentication/api/auth.py
@@ -194,7 +194,7 @@ class UserOtpVerifyApi(CreateAPIView):
        code = serializer.validated_data["code"]
        if request.user.check_otp(code):
-            request.session["OTP_LAST_VERIFY_TIME"] = int(time.time())
+            request.session["MFA_VERIFY_TIME"] = int(time.time())
            return Response({"ok": "1"})
        else:
            return Response({"error": "Code not valid"}, status=400)

--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -132,3 +132,11 @@ class PermissionsMixin(UserPassesTestMixin):
            if not permission_class().has_permission(self.request, self):
                return False
        return True
+class NeedMFAVerify(permissions.BasePermission):
+    def has_permission(self, request, view):
+        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
+        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
+            return True
+        return False
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -374,7 +374,7 @@ defaults = {
    'HTTP_LISTEN_PORT': 8080,
    'LOGIN_LOG_KEEP_DAYS': 90,
    'ASSETS_PERM_CACHE_TIME': 3600,
+    'SECURITY_MFA_VERIFY_TTL': 3600,
 }

--- a/apps/jumpserver/context_processor.py
+++ b/apps/jumpserver/context_processor.py
@@ -17,6 +17,7 @@ def jumpserver_processor(request):
        'VERSION': settings.VERSION,
        'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2019',
        'SECURITY_COMMAND_EXECUTION': settings.SECURITY_COMMAND_EXECUTION,
+        'SECURITY_MFA_VERIFY_TTL': settings.SECURITY_MFA_VERIFY_TTL,
    }
    return context

--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -565,6 +565,7 @@ SECURITY_PASSWORD_RULES = [
    'SECURITY_PASSWORD_NUMBER',
    'SECURITY_PASSWORD_SPECIAL_CHAR'
 ]
+SECURITY_MFA_VERIFY_TTL = CONFIG.SECURITY_MFA_VERIFY_TTL
 TERMINAL_PASSWORD_AUTH = CONFIG.TERMINAL_PASSWORD_AUTH
 TERMINAL_PUBLIC_KEY_AUTH = CONFIG.TERMINAL_PUBLIC_KEY_AUTH

--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po